Under Secretary of Defense for Acquisition and Sustainment



Information Assurance

DFARS Case 2002-D020

Proposed Rule

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

* * * * *

Subpart 239.71—Security and Privacy for Computer Systems

239.7100 Scope of subpart.

This subpart applies to all acquisitions for computer systems [information technology]. It covers both security [includes information assurance] and Privacy Act considerations.

239.7101 General.

[Information assurance includes the protection of information that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed.] Security requirements [Information assurance requirements] are in addition to provisions concerning protection of privacy of individuals (see FAR Subpart 24.1).

[239.7102 Definition.

“Information assurance,” as used in this subpart, means measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.]

239.7102[3] Security against compromising emanations [Policy and responsibilities].

239.7102[3]-1 General.

(a) The National Security or Atomic Energy Acts, as amended, may require protection of information that is

(1) Processed;

(2) Transmitted;

(3) Stored;

(4) Retrieved; or

(5) Displayed.

(b) When acquiring computer equipment to be used to process classified information, the contracting officer shall obtain from the requiring activity—

(1) A determination as to whether the equipment must provide protection against compromising emanations; and

(2) Identification of an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority.

(c) When contracts will require the use of FIP resources involving classified data, programs, etc., the contracting officer shall obtain from the requiring activity—

(1) Advice as to whether to require contractors performing these services to use equipment meeting the requirements in paragraph (a) of this subsection (as prescribed in the clause at 252.239-7000, Protection Against Compromising Emanations);

(2) Information concerning any requirement for marking of TEMPEST-certified equipment (especially if to be reused); and

(3) Information on how to validate TEMPEST equipment compliance with required standards.

[(a) Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include—

(1) The National Security Act;

(2) The Clinger-Cohen Act;

(3) National Security Telecommunications and Information Systems Security Policy No. 11;

(4) Federal Information Processing Standards;

(5) DoD Directive 8500.1, Information Assurance; and

(6) DoD Instruction 8500.2, Information Assurance Implementation.

(b) For all acquisitions, the requiring activity is responsible for providing to the contracting officer—

(1) Statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection;

(2) Inspection and acceptance contract requirements; and

(3) A determination as to whether the information technology requires protection against compromising emanations.]

239.7102-2 Validation of TEMPEST compliance.

Include requirements for validation of TEMPEST compliance in Section E (Inspection and Acceptance) of the contract.

239.7102-3 Contract clause.

When contracting for computer equipment or systems that are to be used to process classified information, use the clause at 252.239-7000, Protection Against Compromising Emanations.

[239.7103-2 Compromising emanations—TEMPEST or other standard.

For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer—

(a) The required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority;

(b) The required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused); and

(c) Inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards.

239.7104 Contract clause.

Use the clause at 252.239-7000, Protection Against Compromising Emanations, in solicitations and contracts involving information technology that requires protection against compromising emanations.]

* * * * *

252.239-7000 Protection Against Compromising Emanations.

As prescribed in 239.7102-3[7104], use the following clause:

PROTECTION AGAINST COMPROMISING EMANATIONS (DEC 1991 [XXX 2003])

(a) The Contractor shall provide or use only computer equipment [information technology], as specified by the Government, that has been accredited to meet the appropriate security [information assurance] requirements of—

(1) The National Security Agency National TEMPEST Standards (NACSEM No. 5100 or NACSEM No. 5100A, Compromising Emanations Laboratory Test Standard, Electromagnetics (U)); or

(2) Other standard[s] specified by this contract.

(b) Upon request of the Contracting Officer, the Contractor shall provide documentation supporting the accreditation.

(c) The Government may, as part of its inspection and acceptance, conduct additional tests to ensure that equipment or systems [information technology] delivered under this contract satisfy [satisfies] the security [information assurance] standards specified. The Government may conduct additional tests—

(1) At the installation site or contractor's facility.[; and]

(2) Notwithstanding the existence of valid accreditations of equipment [information technology] prior to the award of this contract.

(d) Unless otherwise provided in this contract under the Warranty of Supplies or Warranty of Systems and Equipment clauses, the Contractor shall correct or replace accepted equipment or systems [information technology] found to be deficient within one year after proper installations.

(1) The correction or replacement shall be at no cost to the Government.

(2) Should a modification to the delivered equipment [information technology] be made by the Contractor, the one[-]year period applies to the modification upon its proper installation.

(3) This paragraph (d) applies regardless of f.o.b. point or the point of acceptance of the deficient equipment/systems [information technology].

(End of clause)
